51 Tools for Security Analysts

Yesterday at Wordfence we had an “all welcome” technology sharing meeting with the entire company – or at least everyone that was available at the time. The meeting became so popular with our team that we had to upgrade the license we use for our real-time collaboration service to accommodate everyone. It is the largest team meeting we have had to date.

The goal of the call was to have an informal chat about some of the external security and investigative tools that our team finds useful. The meeting included most of our security services team, senior dev staff, security analysts including all senior analysts, team members from customer service and even execs.

I think we all learned something new and Brad, one of our senior analysts, was kind enough to compile the list of tools we chatted about in a shared document.

I know that many security analysts, WordPress developers and readers who are interested in security visit this blog. So I thought I’d share the list of tools the Wordfence team came up with so that if you work in security or just want to increase your cyber security literacy, you can benefit from this list too.

I should emphasize that this is by no means an exhaustive list of security tools. This list merely includes a few of the more interesting cyber security tools that came up in a 40 minute conversation with our team yesterday. We also have a suite of internal tools that are not included. If you have a personal favorite, you are most welcome to share it in the comments.

Reading this list may be worrying or intimidating for readers who don’t work in the security industry. You should know that all tools on this list are free and publicly accessible. They are also well known within the professional security community and among malicious actors. This list of tools, software and utilities should empower anyone interested in protecting themselves and their online assets by making you aware of the capabilities that exist for analysts and malicious actors. By better understanding the tools that your adversary uses, you can better protect yourself.

Information gathering and analysis

Google dorks – Using advanced operators in the Google search engine to locate specific strings of text within search results.

Using Google for penetration or malicious activity may seem silly or obvious, but Google is incredibly powerful and very popular among analysts and malicious actors alike. “Google dorks”, or google-hacks as they’re also known, are a search query that attackers use on Google to identify targets. If you visit a site like exploit-db.com or any other database of exploits, you’ll find that many of them include Google dorks to help find targets to attack with the exploit.

Maltego is one of our favorites. It is an investigator’s tool that lets you graphically organize your thoughts and your investigation by creating objects (people, places, devices, events) and link them. It also gives you the ability to run ‘transforms’ on objects. For example, you can run transforms on an IP address to list its malicious activity using external sources of threat intelligence. You can download a free version from Paterva which has some limitations.

You can see an example of the work we do with Maltego below.

FOCA – A tool used to find metadata and hidden information in the documents its scans.

When you create and publish MS Office, PDF, EPS and PS documents online, you may not realize how much information you are leaking to the general public. FOCA is a security analyst’s tool that can be used to extract ‘leaked’ data from documents that have been made public. Using FOCA, an analyst can find things like an organization’s network structure, IP addresses, internal server names, printers, shared folders, access control lists and more. You can watch this video filmed at DefCon 17 for a demo of how FOCA can be used by researchers or malicious actors to perform recon on a target organization or individual.

If you simply want to find a unique username, checkusernames.com is a useful tool. If you are in the security field, it can be a powerful way to attribute an attack to a specific individual. Malware authors occasionally include usernames or ‘hacker names’ in their malware. Using this tool you can search 160 online services to see if they have used the same username somewhere else.

The term ‘pwned’ is slang for ‘owned’ which in the security industry means “to have your data or system compromised”. So ‘haveibeenpwned.com’ is slang for “Have I been owned dot com”. This is a well known and respected site run by Troy Hunt which finds and aggregates data from data breaches. You can use the service to find out if an account has been compromised by looking up your email or username.

Censys – A search engine that allows computer scientists to ask questions about the devices and networks that compose the internet.

Censys is similar to Shodan in that it indexes devices and websites connected to the internet. The data is also searchable and differs from Shodan in some ways. Shodan is focused on ports and the services running on those ports. Censys is great at indexing web site SSL certificates among other things. Censys is maintained by a team of computer scientists at the University of Michigan and University of Illinois Urbana-Champaign.

Gephi – Visualization and exploration software for all kinds of graphs and networks.

We mentioned Maltego earlier in this post. It uses a ‘graph’ structure which is a diagram of linked objects to represent relationships. Gephi is a tool to analyze graph data at massive scale. We used Gephi to generate the graphical representations of attack data that we published in our February Attack report, seen below.

BuiltWith has a search engine-like interface and lets you search for a specific site to find out what tools were used to build it. BuiltWith also aggregates that data so that you can find out what the most popular technologies are on the web or how a specific technology is trending relative to another.

Wappalyzer – A cross-platform utility that uncovers the technologies used on websites.

Wappalyzer is another tool that helps you discover what technologies a specific site is using. Like BuiltWith, they also aggregate data to help you determine how technologies are trending. This is their view of the popularity of blog technologies, with WordPress clearly the market leader.

aw-snap.info includes a suite of tools that may be helpful for site owners who have decided to try to clean their own hacked site. It can help you fetch pages as Google, which sometimes reveals malware. It can also decode base64 obfuscated malware and help find obfuscation in your files that may hide malware.

This is a tool that performs a variety of reconnaissance operations on an organization and may be useful in the early stages of a penetration test to determine an organization’s overall online footprint.

BeEF is a powerful tool that lets penetration testers exploit and control a web browser. Using BeEF you can set up a malicious website, exploit a visiting browser and gain access to the workstation running the browser. You can watch this 2014 KiwiCon video for a demo.

Burp Suite is a very well known and powerful framework used to perform security audits and analysis on web applications. It includes a proxy that can intercept traffic and allow you to modify it on the fly. It includes a huge variety of exploit and penetration testing tools.

You have probably heard of the vulnerability scanning tool Nessus. Back in 2005 Tenable Network Security changed the Nessus open source license to a closed source one. The developers forked the project at that time and created OpenVAS.

I’ve found that OpenVAS can be quite effective, but it is a bit more challenging to set up than Nessus. OpenVAS does have the advantage of being completely free and open source. The project is well known throughout the online security community.

Forensics and log analysis

Lnav is short for log file navigator. It automatically detects your log file formats, provides syntax highlighting and a host of other features to view and analyze log files. It can be invaluable when analyzing a compromised website.

Mandiant (now owned by Fireeye) produced this useful product that can help analyze log files. It includes the ability to graphically view a histogram of log files and several other powerful log file analysis features.

This utility can download the original versions of WordPress core and plugin files and can help you compare them against their originals. Wordfence already does this from within WordPress, but this provides a command line tool to perform a similar action.

Access monitoring and logging/accounting is very helpful when monitoring a system to see if it is being attacked or performing an investigation after the attack. Auditd can help you improve logging and provide an audit trail on Linux.

‘Packing’ javascript is a favorite technique of hackers who are dropping malicious javascript on websites. It makes their code more compact and harder to read. Jsunpack can help de-obfuscate JS code to make it more readable so that you can understand how it operates.

Base64 encoding is a way to encode anything into an encoded string of (what appears to be) random characters. Anyone who is repairing hacked sites or responding to incidents uses base64 decoding several times a day to expose malicious code that has been base64 encoded. This tool can help decode base64 encoding.

URL encoding is also a popular way for hackers to hide their code, through encoding it using this form of encoding. urldecoder.org can help you decode malicious code that has been hidden using urlencoding.

Other tools

Regex, or regular expressions, are pattern matching routines to find complex patterns in files and code. We use regex extensively at Wordfence to help fix hacked sites and in our software and products.

In most systems, passwords are stored as hashes. Malware authors occasionally use hashing to store their own passwords. In our research we have needed to crack hashes that are used by malware authors in order to read their source code. HashKiller can help reverse a hash into a password if you need to crack a hash as part of your malware analysis.

Noscript – Noscript is a Firefox extension that allows Javascript, Java and Flash to only be executed by websites that you define and trust.

When visiting malicious websites, Noscript can help disable malicious code on that site. Note that you should always visit a malicious site that you are analyzing using a virtual machine that has no important data on it. If the VM gets infected, you can simply destroy it without worrying about important data being leaked. Using Noscript in your browser within your virtual environment can be useful when analyzing the function of a hacked site.

Other lists of tools

awesome-incident-response – A curated list of tools and resources for security incident response, aimed to help security analysts and DFIR teams.

OSINT Framework – OSINT is short for ‘open source intelligence’. This site provides a graphical directory of OSINT resources.

Kali Linux

Kali Linux is a linux distribution that is the favorite of penetration testers and security analysts world-wide. It is a linux distribution that comes packed with security analysis tools. If you want to learn about cyber security, Kali should be one of your starting points. If you simply would like to know about some of the more important tools that Kali provides, you can use the list below.

Kali Linux Tools Listing – All the tools in Kali Linux, a Linux variant used by penetration testers and security analysts.

Conclusion

The tools on this page can help you respond to an incident, test the security of your own website and better understand how attackers think and what tools they have available to them. As always I welcome your feedback in the comments and you are most welcome to suggest your own favorite security or analysis tools.